Forum Discussion

Tom13984's avatar
Tom13984
Copper Contributor
Aug 11, 2020

ASR Rules block launching Teams meetings from Outlook

After deploying the security baselines which enables the ASR rule 'Block Office communication application from creating child processes' (26190899-1602-49E8-8B27-EB1D0A1CE869) users are no longer able to launch Teams meetings from a calendar entry in Outlook.

 

The following is logged:

Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
 For more information please contact your IT administrator.
 	ID: 26190899-1602-49E8-8B27-EB1D0A1CE869
 	Detection time: 2020-08-11T07:03:51.689Z
 	User: CACT\user
 	Path: C:\ProgramData\user\Microsoft\Teams\current\Teams.exe
 	Process Name: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
 	Security intelligence Version: 1.321.1142.0
 	Engine Version: 1.1.17300.4
 	Product Version: 4.18.2007.8

 

Is it possible to create an exception only for the Teams client to launch as it is installed on a per-user basis?

6 Replies

  • jschwager's avatar
    jschwager
    Copper Contributor
    Dec 03, 2021
    Were you ever able to figure this one out? I'm trying to roll out this ASR rule but I'm seeing the same exact behavior in the audit entries. I'd like to figure it out before I enable the rule and cause problems. Thanks!
    • grandzazz's avatar
      grandzazz
      Copper Contributor
      Jun 13, 2022

      jschwager 

      Hi, I'm in the same case of you. I try to active this ASR rule but for around of 2500 employes only 4-5 users have this issue. I don't find why only some users...  I don't want to do a exception only for that, and create a breach of security.  Do you find anythings since your last posts?
      Thank you for your help!

      • jschwager's avatar
        jschwager
        Copper Contributor
        Jul 06, 2022
        I ended up having the user reinstall Teams and the issue went away.
  • 0fflinedocs's avatar
    0fflinedocs
    Brass Contributor
    Aug 13, 2020

    Tom13984  Which Windows 10-version have you seen this one on? Multiple different versions? Your PC's have W10 E3 as license?

     

    Feels odd, I have this ASR-rule in block on multiple computers where this problem have not surfaced. In 124 examples only excel, powerpoint and word has been affected in an example environment and these users/computers have accessed teams-meetings from outlook.

    • Tom13984's avatar
      Tom13984
      Copper Contributor
      Aug 13, 2020
      Thanks for your reply. We're running E5 on these devices. It is occurring on multiple machines. They are all 2004.
      • 0fflinedocs's avatar
        0fflinedocs
        Brass Contributor
        Aug 14, 2020

        Tom13984  No problems. I haven't encountered this issue. I tested the rule and opened a Teams-meeting in Outlook on a Windows 2004 + with E5. Maybe it's related to your office-patch level somehow? Do you run O365 C2R SAC? If I were you I would open a case to Microsoft, this can't be expected behaviour. 

         

        Anyway, when you have E5 you can exclude stuff here: https://security.microsoft.com/asr?viewid=exclusions



        https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction

Resources